Data-sharing arrangements – what are the appropriate safeguards?
On 19 January 2021, the Court of Appeal in M v Chief Constable of Sussex Police [2021] EWCA Civ 42 handed down a judgment in which it ruled against a teenager’s claim for judicial review of how information about her was shared between Sussex Police and a local crime reduction partnership, the Brighton & Hove Business Crime Reduction Partnership (“BCRP”).
The teenager - who was 16 years old at the onset of the case - was anonymised as M and claimed that Sussex Police’s disclosure of her personal information to the BCRP was unlawful. She also challenged the lawfulness of the Information Sharing Agreement (“ISA”) between BCRP and Sussex Police on the basis that the safeguards contained within the ISA were inadequate.
BCRP had over 500 members, including local businesses, retailers, bars and nightclubs. One of its main functions was the management of an exclusion notice scheme. Individuals who were subject to an exclusion notice were prohibited from entering its members’ commercial premises. M, as an individual of concern, was subject to such an exclusion notice: she had convictions for shoplifting and assault, as well as a history of going missing from home. Sussex Police had disclosed to BCRP that they considered M to be vulnerable due to the risk of child sexual exploitation. M challenged the lawfulness of that disclosure to BCRP as well as the safeguards in the ISA between the two parties, which she argued were not sufficient for processing her sensitive personal data as a minor.
At first instance, the High Court dismissed M’s claim regarding the lawfulness of the ISA but upheld her claim about the illegality of Sussex Police’s disclosure, and she was awarded £500 in compensation. M appealed in relation to the amount of damages she was awarded, and Sussex Police cross-appealed regarding the finding that it had breached data protection principles.
The Court of Appeal dismissed M’s appeal and upheld the Police’s appeal. The Court held that information that M was at risk of sexual exploitation did not amount to personal data regarding her “sex life” and so was not “sensitive personal data” as defined under the Data Protection Act (“DPA”) 1998 (now known as “special category data” under the GDPR). In making its decision, the Court commented that sharing information about someone’s “sex life” could be considered the exact opposite of sharing information about the risks of their sexual exploitation, which is exactly what was intended to be protected under this category of data. The Court was also concerned that organisations could be discouraged from reporting risks of child sexual exploitation due to such procedural requirements.
In addition, the Court of Appeal found that the safeguards in the ISA were adequate. This is because the ISA set out a number of requirements to ensure that data was processed lawfully, including that the data would only be accessed by certain BCRP employees who had achieved an appropriate level of vetting, that the processing of offender data was to be limited to individuals aged 14 and over, that processing children’s data would be subject to a legitimate interest assessment, that information would only be disclosed where necessary and on a case-by-case basis, and that all information was recorded on a secure system with an appropriate retention period.
The case is important as it is one of the few to examine what amounts to ‘appropriate technical and organisational measures’ in the context of data sharing agreements between parties.
If you believe an organisation has misused your data or your data rights have been breached, contact our team at Saunders Law for advice on 020 7632 4300.